Security

Thousands of Tor Exit Nodes Attacked Cryptocurrency Users Over the Past Year (therecord.media) 23

For more than 16 months, a threat actor has been seen adding malicious servers to the Tor network in order to intercept traffic and perform SSL stripping attacks on users accessing cryptocurrency-related sites. From a report: The attacks, which began in January 2020, consisted of adding servers to the Tor network and marking them as "exit relays," which are the servers through which traffic leaves the Tor network to re-enter the public internet after being anonymized. But since January 2020, a threat actor has been inserting thousands of malicious servers into the Tor network to identify traffic heading to cryptocurrency mixing websites and perform an SSL stripping attack, which is when traffic is downgraded from an encrypted HTTPS connection to plaintext HTTP. The belief is that the attacker has been downgrading traffic to HTTP in order to replace cryptocurrency addresses with their own and hijack transactions for their own profit. The attacks are not new and were first documented and exposed last year, in August, by a security researcher and Tor node operator known as Nusenu. At the time, the researcher said the attacker managed to flood the Tor network with malicious Tor exit relays on three occasions, with their attack infrastructure peaking at around 23% of the entire Tor network's exit capacity before being shut down by the Tor team on every occasion.
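What the downgrade-and-swap described above amounts to in practice, and the client-side rules that deny an exit the chance to do it, as an added illustration (this is not code from The Record, Nusenu or the Tor Project; the host names, the attacker address, the sample page and the headers are constructed, and the deposit address is the BIP173 example address rather than a real wallet):

```python
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit, urlunsplit

# Bitcoin-style addresses (bech32 and legacy base58), enough to find and replace them in HTML.
ADDR_RE = re.compile(r"\b(?:bc1[a-z0-9]{25,60}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")

# Constructed page as the origin would serve it over HTTPS. The deposit address is the
# BIP173 example address, not a real wallet; the host name is made up.
ORIGIN_ADDR = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"
ORIGIN_BODY = (
    f"<p>Send coins to <code>{ORIGIN_ADDR}</code></p>\n"
    '<a href="https://mixer.example/withdraw">withdraw</a>'
)
ATTACKER_ADDR = "bc1q" + "a" * 38  # placeholder for an attacker-controlled address


def strip_and_swap(body: str, attacker_addr: str) -> str:
    """What a malicious exit can do to a response it can read, i.e. one that left the
    exit as plaintext HTTP: rewrite https:// links so the next request is plaintext too
    (the 'stripping'), then replace every deposit address with the attacker's."""
    downgraded = body.replace("https://", "http://")
    return ADDR_RE.sub(attacker_addr, downgraded)


def detect_substitution(trusted_body: str, received_body: str) -> List[Tuple[str, str]]:
    """Compare addresses on a copy obtained over a path the exit cannot alter (the site's
    onion service, or an HTTPS fetch) with what arrived. Returns (expected, seen) pairs."""
    expected = ADDR_RE.findall(trusted_body)
    seen = ADDR_RE.findall(received_body)
    if len(expected) != len(seen):
        return [(e, "<missing>") for e in expected]
    return [(e, s) for e, s in zip(expected, seen) if e != s]


def record_hsts(host: str, headers: Dict[str, str], cache: Set[str]) -> None:
    """Learn Strict-Transport-Security from a response that arrived over HTTPS. A max-age
    of 0 is the site's way of withdrawing the policy. Only the exact host is cached here;
    includeSubDomains is ignored to keep the example short."""
    value = headers.get("Strict-Transport-Security", "")
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    if match is None:
        return
    if int(match.group(1)) > 0:
        cache.add(host.lower())
    else:
        cache.discard(host.lower())


def outgoing_url(url: str, hsts_cache: Set[str], https_only: bool = False) -> str:
    """What actually leaves the client. An http:// URL is upgraded when the host has a
    cached HSTS policy or the browser runs in HTTPS-only mode; otherwise the plaintext
    request goes out through the exit and strip_and_swap gets its chance."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme == "http" and (https_only or host in hsts_cache):
        return urlunsplit(parts._replace(scheme="https"))
    return url
```

The point of the two halves: the exit never touches TLS; it only profits when the client's request is plaintext to begin with, so HSTS (learned from a prior HTTPS visit or preloaded), an HTTPS-only browser mode, or using the service's onion address removes the opportunity entirely, and checking a deposit address against a copy fetched over a trusted path catches the swap after the fact.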

Medicine

Oxford Study Finds No Link Between Technology Use and Mental-Health Problems (bbc.com) 45

An anonymous reader quotes a report from the BBC: There remains "little association" between technology use and mental-health problems, a study of more than 430,000 10- to 15-year-olds suggests. The Oxford Internet Institute compared TV viewing, social-media and device use with feelings of depression, suicidal tendencies and behavioral problems. It found a small drop in association between depression and social-media use and TV viewing, from 1991 to 2019. There was a small rise in that between emotional issues and social-media use. "We couldn't tell the difference between social-media impact and mental health in 2010 and 2019," study co-author Prof Andrew Przybylski said. "We're not saying that fewer happy people use more social media. We're saying that the connection is not getting stronger." The paper is published in the journal Clinical Psychological Science.

Security

Tesla Car Hacked Remotely From Drone Via Zero-Click Exploit (securityweek.com) 126

wiredmikey shares a report from SecurityWeek: Security researchers have shown how a Tesla -- and possibly other cars -- can be hacked remotely without any user interaction from a drone. This was the result of research conducted last year by Ralf-Philipp Weinmann of Kunnamon and Benedikt Schmotzle of Comsecuris. The attack, dubbed TBONE, involves exploitation of two vulnerabilities affecting ConnMan, an internet connection manager for embedded devices. A hacker who exploits the vulnerabilities can perform any task that a regular user could from the infotainment system. That includes opening doors, changing seat positions, playing music, controlling the air conditioning, and modifying steering and acceleration modes. They showed how an attacker could use a drone to launch an attack via Wi-Fi to hack a parked car and open its doors from a distance of up to 100 meters (roughly 300 feet). They claimed the exploit worked against Tesla S, 3, X and Y models. "Tesla patched the vulnerabilities with an update pushed out in October 2020, and it has reportedly stopped using ConnMan," the report notes. Since the ConnMan component is widely used in the automotive industry, similar attacks could be launched against other vehicles.

United States

'Burning Man' Festival Cancelled Again, Goes Virtual For a Second Year (npr.org) 61

"There are simply too many points of uncertainty for us to move forward with confidence right now," explains a FAQ addressing this year's cancellation for the annual Burning Man festival.

"The physical, psychic, and emotional impacts of this pandemic are real and the recovery from this experience will happen at different rates of speed," organizers said in an announcement. "This is the time to gather with our friends, crews, families and communities..." They also argued that in an abstract sense, "Burning Man is happening right NOW, all around you," urging people to create experiences, opportunities and connection at the local level. (Their suggestions include planning to join a mass "Burn Night" livestreaming event on September 4, or preparing for "Virtual Burning Man" from August 21 to September 5, 2021.)

Last year's virtual event drew 165,000 participants, reports NPR, adding that this year's cancellation of a mass real-world gathering "has put many people in the event's host community at ease." Wary of a trend of rising coronavirus cases in some parts of the region, Washoe County's district health officer Kevin Dick said "the right call was made," in order to lower the risk of spreading infection.

And SFist also notes the festival's "Invitation to the Future" program "where $2,500 buys you a reservation to buy tickets whenever they do announce the event — but that $2,500 does not get you a ticket." "This is a reservation that will guarantee someone the ability to purchase a regular priced ticket for the next two editions of Black Rock City," the Burning Man Project communications team says in an email to SFist...

Per the fine print of this arrangement, there will be only 1,000 of these $2,500 reservations that are essentially tickets to buy tickets... "It's going very well!" Burning Man's communications team tells us. "We're so grateful for our generous community. As of this writing, we have only a few hundred left...."

Burning Man has to get creative, and maybe perks for big spenders are an acceptable one-time trade-off to ensure its ongoing solvency. The project has gone nearly two years since its last infusion of direct ticket revenue, and the permits and attorney fees necessary to pull off this event on federal land have not gotten any cheaper despite the pandemic.

Bitcoin

A Second Bitcoin Exchange Collapses In Turkey Amid Crackdown On Cryptocurrencies (cnbc.com) 52

An anonymous reader quotes a report from CNBC: A second cryptocurrency exchange has collapsed in Turkey amid a crackdown on the industry. The platform, Vebitcoin, said in a brief statement on its website that it has ceased all activities after facing financial strain and that it would update clients on the situation as soon as possible. Days earlier, Thodex went offline with its CEO reportedly leaving the country. Local media reports say Thodex founder Faruk Fatih Ozer flew to Albania, taking $2 billion of investors' funds with him. Turkey has issued an international arrest warrant for Ozer, while 62 people were detained in connection with complaints filed against Thodex.

Turkish authorities have blocked Vebitcoin's domestic bank accounts and detained four people as part of a probe into the exchange, Reuters reported Saturday. According to CoinGecko data, Vebitcoin had almost $60 million in daily trading volumes prior to its collapse. Some Turks have turned to crypto as a way to protect their savings from skyrocketing inflation and the weakening of its currency, the lira. But there have been growing calls for regulation of the market due to concerns around fraudulent activity. Earlier this month, Turkey's central bank banned the use of digital assets for payments. And President Recep Tayyip Erdogan has called for swift regulation, warning of pyramid schemes emerging in the crypto markets.

Bitcoin

Elon Musk, Jack Dorsey Argue that Bitcoin Incentivises Renewable Energy (bbc.com) 135

Jack Dorsey, the co-founder and CEO of Twitter, tweeted Wednesday that bitcoin "incentivises renewable energy." And Elon Musk responded "True."

The BBC adds that the tweets came "despite experts warning otherwise." The cryptocurrency's carbon footprint is as large as some of the world's biggest cities, studies suggest. But Mr Dorsey claims that could change if bitcoin miners worked hand-in-hand with renewable energy firms.

One expert said it was a "cynical attempt to greenwash" bitcoin. China, where more than two-thirds of power is from coal, accounts for more than 75% of bitcoin mining around the world...

The tweet comes soon after the release of a White Paper from Mr Dorsey's digital payment services firm Square, and global asset management business ARK Invest. Entitled "Bitcoin as key to an abundant, clean energy future", the paper argues that "bitcoin miners are unique energy buyers", because they offer flexibility, pay in a cryptocurrency, and can be based anywhere with an internet connection. "By combining miners with renewables and storage projects, we believe it could improve the returns for project investors and developers, moving more solar and wind projects into profitable territory," it said.

Author and bitcoin critic David Gerard described the paper as a "cynical exercise in bitcoin greenwashing".

"The reality is: bitcoin runs on coal," he told the BBC.... "Bitcoin mining is so ghastly and egregious that the number one job of bitcoin promoters is to make excuses for it — any excuse at all."

Network

One Step Closer To Getting 10 Gigabit At Home 71

An anonymous reader quotes a report from ZDNet: Now, thanks to Comcast and Broadcom, we're seeing the first tests of full-duplex (FDX) DOCSIS 4 system-on-chip (SoC) devices. Comcast's tests, done between Philadelphia and Denver, show that FDX can work with DOCSIS 4. FDX enables cable internet providers to run a high-speed internet connection both upstream and downstream simultaneously. In other words, while you won't see symmetric speeds, you will someday see 10 Gbps downstream and 6 Gbps upstream over Comcast's hybrid-fiber coaxial (HFC) network. Comcast has been working towards this for years. The company has been working to bring DOCSIS 4 FDX to market pretty much since CableLabs set the specification in 2017.

There is another way to deliver DOCSIS 4 speeds: Extended Spectrum DOCSIS (ESD). This is easier to deploy since it "only" raises to 1.8Gbps while keeping downstream and upstream traffic separate as has been the case with previous DOCSIS versions. Comcast, though, is investing heavily in chasing the top prize of 10Gbps. It's possible that a single chipset could support both FDX and ESD, but we're still years away from that silicon being forged. [...] In the tests, which use experimental Broadcom SoCs, in a simulated network environment, they hit speeds of over 4Gbps both up and downstream simultaneously. This was done using DOCSIS 4's echo cancellation and overlapping spectrum techniques. The businesses expect future optimization to push the throughput even faster. We still don't know when these speeds will arrive in our small offices/home offices (SOHO). CableLabs doesn't even expect to test hardware for DOCSIS 4 certification until 2022. Nor has Comcast announced any kind of deployment roadmap.

Space

What Do You Call a Bunch of Black Holes? (nytimes.com) 155

What do you call a collection of black holes? The question has taken on an urgency among astronomers inspired by the recent news of dozens of black holes buzzing around the center of a nearby cluster of stars. The New York Times: In the last few years, instruments like the LIGO and Virgo gravitational-wave detectors have recorded space-time vibrations from the collisions of black holes, making it clear beyond doubt that these monstrous concentrations of nothingness not only exist but are ubiquitous. Astronomers anticipate spotting a great number of these Einsteinian creatures when the next generation of gravitational-wave antennas are deployed. What will they call them? There are gaggles of geese, pods of whales and murders of crows. What term would do justice to the special nature of black holes? A mass? A colander? A scream?

Jocelyn Kelly Holley-Bockelmann, an astrophysicist at Vanderbilt University, and colleagues are developing an international project called the Laser Interferometer Space Antenna, or LISA, that will be able to detect collisions between all sizes of black holes throughout the universe. She was trying to run a Zoom meeting of the group recently "when one of the members said his daughter was wondering what you call a collective of black holes -- and then the meeting fell apart, with everyone trying to up one another," she said in an email. "Each time I saw a suggestion, I had to stop and giggle like a loon, which egged us all on more." The question was crowdsourced on Twitter recently as part of what NASA has begun calling black hole week (April 12-16). Among the many candidates so far: A crush. A mosh pit. A silence. A speckle. A hive. An enigma. Or a favorite of mine for its connection to my youth: an Albert Hall of black holes.

Businesses

Employee Accused of Skipping Work for 15 Years (bbc.com) 109

A hospital employee in Italy has been accused of skipping work on full pay for 15 years, local media report. From a report: The man is alleged to have stopped turning up to work at the Ciaccio hospital in the southern city of Catanzaro in 2005. He is now being investigated for fraud, extortion and abuse of office, Italian news agency Ansa reports. He was reportedly paid $649,500 in total over the years he is thought not to have been working. Six managers at the hospital are also being investigated in connection with the alleged absenteeism. The arrests are the result of a lengthy police investigation into absenteeism and suspected fraud in the Italian public sector.

Microsoft

Microsoft's 'Netflix-for-Gaming' Service Launches on iPhone and PC This Week (cnbc.com) 29

Microsoft's Xbox Cloud Gaming service, previously known as xCloud, will begin rolling out in beta to iPhones, iPads and PCs this week. The service will be invite-only to start, Microsoft said in a blog post on Monday. From a report: Xbox Cloud Gaming was on track to launch for iPhones and iPads earlier, but Apple updated its App Store rules in September in a way that impacted services like Xbox Cloud Gaming and Google Stadia. Apple's move forced the companies to redesign their services around web browsers so that they could circumvent the App Store rules. Under the rules, Microsoft, Google and other companies with similar services would have had to offer each game as an individual download instead of offering a complete library the way Netflix does for movies.

Xbox Cloud Gaming is sort of like Netflix for games. People who subscribe to Microsoft's $14.99/month Xbox Game Pass Ultimate plan can access more than 100 titles. The cloud gaming aspect lets you stream the games without having to download them, provided you have a fast enough internet connection. The streaming option is already available for Android phones.

Crime

A Tesla Helped Police Track Down a Hate Crime Suspect (gizmodo.com) 78

An anonymous reader quotes a report from Gizmodo: Throughout December, someone was setting fires at the Martin Luther King Jr. Community Presbyterian Church, a "predominately Black" congregation located in Springfield, Massachusetts. An FBI affidavit claims that the last of these fires, set on Dec. 28, "essentially destroyed" the building -- burning away large parts of the interior. During this period, the same person is suspected of having carried out a "series of tire-slashings" targeted at vehicles near or around the church -- a majority of which were owned by Black individuals. Now, 44-year-old Maine resident Dushko Vulchev has been arrested in connection to the crimes. He was charged in a federal court in Springfield on Thursday, a release from the U.S. Justice Department shows, and is potentially facing decades behind bars.

Court documents illustrate how state, local and federal authorities used a variety of surveillance footage and data collection to piece together Vulchev's whereabouts and place him at or near these crimes. In particular, the vandal slipped up when he allegedly slashed the tires of a Tesla located not far from the church. Authorities say one of the car's many pre-installed security cameras caught blatant images of the culprit as he damaged the tires, then later returned to steal them along with the vehicle's rims. "Based on my training and experience and this investigation, I am aware that the Tesla mentioned above is equipped with cameras at various points around the body," said the FBI agent who wrote the affidavit. "I have reviewed video footage retrieved from the Tesla showing an individual that I can identify as Vulchev...The video footage from the Tesla shows Vulchev at a close distance crouching near the Tesla and using a tire iron to remove the wheels." Using other data collected and a variety of local surveillance footage, law enforcement was able to build a case against Vulchev.

Facebook

Ireland Opens GDPR Investigation Into Facebook Leak (techcrunch.com) 7

An anonymous reader quotes a report from TechCrunch: Facebook's lead data supervisor in the European Union has opened an investigation into whether the tech giant violated data protection rules vis-a-vis the leak of data reported earlier this month. Here's the Irish Data Protection Commission's statement:

"The Data Protection Commission (DPC) today launched an own-volition inquiry pursuant to section 110 of the Data Protection Act 2018 in relation to multiple international media reports, which highlighted that a collated dataset of Facebook user personal data had been made available on the internet. This dataset was reported to contain personal data relating to approximately 533 million Facebook users worldwide. The DPC engaged with Facebook Ireland in relation to this reported issue, raising queries in relation to GDPR compliance to which Facebook Ireland furnished a number of responses.

The DPC, having considered the information provided by Facebook Ireland regarding this matter to date, is of the opinion that one or more provisions of the GDPR and/or the Data Protection Act 2018 may have been, and/or are being, infringed in relation to Facebook Users' personal data. Accordingly, the Commission considers it appropriate to determine whether Facebook Ireland has complied with its obligations, as data controller, in connection with the processing of personal data of its users by means of the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer features of its service, or whether any provision(s) of the GDPR and/or the Data Protection Act 2018 have been, and/or are being, infringed by Facebook in this respect."
"We are cooperating fully with the IDPC in its enquiry, which relates to features that make it easier for people to find and connect with friends on our services," Facebook said in a statement. "These features are common to many apps and we look forward to explaining them and the protections we have put in place."

Mars

What Happens When You Have a Heart Attack on the Way To Mars? (wired.co.uk) 70

If your heart stops en route to Mars, rest assured that researchers have considered how to carry out CPR in space. (One option is to plant your feet on the ceiling and extend your arms downwards to compress the patient's chest.) From a report: Astronauts, because of their age range and high physical fitness, are unlikely to suffer a stroke or have their appendix suddenly explode. That's good because, if it does happen, they're in the realm of what Jonathan Scott -- head of the medical projects and technology team at the European Space Agency -- describes as 'treatment futility.' In other words: there's nothing anyone can do about it. On the ISS, when medical incidents arise, astronauts can draw on the combined expertise of a host of medical experts at Nasa. "The patient is on the space station, the doctor is on the ground, and if there's a problem the patient consults the doctor," says Scott. By the time astronauts reach Mars, there'll be a 40-minute time lag in communications, if it's possible to make contact at all. "We have to begin preparing for not only being able to diagnose things in spaceflight but also to treat them as well," Scott says.

Artificial intelligence is likely to be a part of the solution. If you're imagining the holographic doctor from Star Trek, downgrade your expectations, at least for the next few decades. Kris Lehnhardt, the element scientist for exploration medical capability at Nasa, says: "We are many, many, many years away from: please state the nature of the medical emergency." Emmanuel Urquieta is deputy chief scientist at the Translational Institute for Space Health (TRISH), a Nasa-funded program which conducts research into healthcare for deep space missions. While full AI may be a way off, Urquieta believes some form of artificial intelligence will still play a crucial role. "It's going to be essential for a mission to Mars," he says. While the crew for a mission to Mars will likely include a medical doctor, he explains: "No single physician can know everything." And, of course: "What happens if that astronaut gets sick?" Research projects funded by TRISH include Butterfly iQ, a handheld ultrasound device for use by non-medical personnel to make diagnoses that would otherwise require bulky equipment and a trained operator. VisualDx is an AI diagnostics tool originally developed to analyse images and identify skin conditions. The technology is now being adapted to help astronauts diagnose a wide range of conditions most commonly encountered in space, without an internet connection.


Security

Polish Blogger Sued After Revealing Security Issue In Encrypted Messenger (therecord.media) 25

An anonymous reader quotes a report from The Record: The company behind the UseCrypt Messenger encrypted instant messaging application filed a lawsuit last month against a Polish security researcher for publishing an article that exposed a vulnerability in the app's user invite mechanism. The lawsuit targets Tomasz Zieliński, the editor of Informatyk Zakładowy, a Polish blog dedicated to IT topics, and denounces one of the site's articles, published in October 2020. The article describes how Zieliński found that in some cases, when UseCrypt Messenger users wanted to invite a friend to the app, the application used an insecure domain (autofwd.com) to send out user invitations. Zieliński found that besides running on an insecure HTTP connection, the AutoFWD.com website was also vulnerable to SQL injection and cross-site scripting (XSS) vulnerabilities that would have allowed anyone to hijack the site and then read or tamper with UseCrypt invitations. But while the authors of the AutoFWD.com website admitted to the security weaknesses in their service and shut down their website, Zieliński received a firm rebuttal of his research from V440 SA, the legal entity behind the UseCrypt Messenger.

In a message the company sent Zieliński a day after his blog post went live, they claimed his research contained "false information." V440 SA said their app did not use the AutoFWD.com service to handle user invitations but instead relied on an in-house solution hosted on the get.usecryptmessenger.com domain. But in a subsequent update, Zieliński claims that the UseCrypt team was lying and that, in reality, they silently patched their app to remove AutoFWD.com from its user invite mechanism after his research was posted online and were merely trying to dismiss his findings, even after he notified them in advance of his research.
To make matters worse, V440 SA had reportedly filed criminal complaints against not only Zieliński's blog but also against Niebezpiecznik and Zaufana Trzecia Strona, two other Polish IT security blogs, claiming that the three were working as part of an "organized criminal group."

"Requests to remove articles, requests for apologies and other letters from law firms addressed to our editors will not make us stop being interested in a certain issue," the editors of the Polish blogs said in a joint statement. It's currently unknown if there is actually a criminal investigation underway against the three sites or if this is just an intimidation tactic.

Wireless Networking

Broadband Use Surged More Than 30% During Pandemic (cnet.com) 13

Broadband use surged 30% to 40% during the COVID-19 pandemic in the US, and even reached 60% in some areas, an industry group has concluded. CNET reports: The Broadband Internet Technical Advisory Group released data this week that it gathered from internet service providers, broadband analytics firms, and networking companies that help deliver data. We all consumed more downstream data -- the flow from the internet to the home -- but upstream use grew faster. That's an important consideration given that most cable and DSL services offer much higher downstream capacity. All those videoconferences for work meetings and online schooling likely were involved in the upstream data traffic. "Some networks saw more than 300% increase in the amount of video conferencing traffic from February to October 2020," the report said.

Though the internet itself held up well overall, there are problems. "Rural and low-income households have struggled" with broadband access to online services, the report said, and some households suffered with older equipment that couldn't handle heavy traffic or the increase in networked devices in the home. If you're having problems at home, you should consider an Ethernet cable connection to your network router, upgrading to a mesh network with multiple network access points, upgrading your PC or phone, or paying for a faster internet connection if it's available.

Bitcoin

Why People's Expensive NFTs Keep Vanishing (vice.com) 189

An anonymous reader shares a report from Motherboard, written by Ben Munster: When you buy an NFT for potentially as much as an actual house, in most cases you're not purchasing an artwork or even an image file. Instead, you are buying a little bit of code that references a piece of media located somewhere else on the internet. This is where the problems begin. Ed Clements is a community manager for OpenSea who fields these kinds of problems daily. In an interview, he explained that digital artworks themselves are not immutably registered "on the blockchain" when a purchase is made. When you buy an artwork, rather, you're "minting" a new cryptographic signature that, when decoded, points to an image hosted elsewhere. This could be a regular website, or it might be the InterPlanetary File System, a large peer-to-peer file storage system.

Clements distinguished between the NFT artwork (the image) and the NFT, which is the little cryptographic signature that actually gets logged. "I use the analogy of OpenSea and similar platforms acting like windows into a gallery where your NFT is hanging," he said. "The platform can close the window whenever they want, but the NFT still exists and it is up to each platform to decide whether or not they want to close their window." [...] "Closing the window" on an NFT isn't difficult. NFTs are rendered visually only on the front-end of a given marketplace, where you see all the images on offer. All the front-end code does is sift through the alphanumeric soup on the blockchain to produce a URL that links to where the image is hosted, or less commonly metadata which describes the image. According to Clement: "the code that finds the information on the blockchain and displays the images and information is simply told, 'don't display this one.'"

An important point to reiterate is that while NFT artworks can be taken down, the NFTs themselves live inside Ethereum. This means that the NFT marketplaces can only interact with and interpret that data, but cannot edit or remove it. As long as the linked image hasn't been removed from its source, an NFT bought on OpenSea could still be viewed on Rarible, SuperRare, or whatever -- they are all just interfaces to the ledger. The kind of suppression detailed by Clements is likely the explanation for many cases of "missing" NFTs, such as one case documented on Reddit when user "elm099" complained that an NFT called "Big Boy Pants" had disappeared from his wallet. In this case, the user could see the NFT transaction logged on the blockchain, but couldn't find the image itself. In the case that an NFT artwork was actually removed at the source, rather than suppressed by a marketplace, then it would not display no matter which website you used. If you saved the image to your phone before it was removed, you could gaze at it while absorbing the aura of a cryptographic signature displayed on a second screen, but that could lessen the already-tenuous connection between NFT and artwork.
If you're unable to find a record of the token itself on the Ethereum blockchain, it "has to do with even more arcane Ethereum minutiae," writes Ben Munster via Motherboard. He explains: "NFTs are generally represented by a form of token called the ERC-721. It's just as simple to locate this token's whereabouts as ether (Ethereum's in-house currency) and other tokens such as ERC-20s. The NFT marketplace SuperRare, for instance, sends tokens directly to buyers' wallets, where their movements can be tracked rather easily. The token can then generally be found under the ERC-721 tab. OpenSea, however, has been experimenting with a new token variant: the ERC-1155, a 'multitoken' that designates collections of NFTs.

This token standard, novel as it is, isn't yet compatible with Etherscan. That means ERC-1155s saved on Ethereum don't show up, even if we know they are on the blockchain because the payments record is there, and the 'smart contracts' which process the sale are designed to fail instantly if the exchange can't be made. [...]"

In closing, Munster writes: "This is all illustrative of a common problem with Ethereum and cryptocurrencies generally, which despite being immutable and unhackable and abstractly perfect can only be taken advantage of via unreliable third-party applications."
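The separation Clements and Munster describe, between the token on the ledger, the marketplace "window" and the file the token points at, as an added model (this is not OpenSea's or Ethereum's code; the ledger, marketplaces, owner addresses, URIs and image bytes are constructed, and a content-addressed pointer such as an IPFS CID is simplified here to a SHA-256 of the bytes):

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Token:
    token_id: int
    owner: str
    token_uri: str                    # the pointer the chain keeps: a URL or ipfs://<cid>
    content_hash: Optional[str] = None  # set when the pointer is content-addressed


class Ledger:
    """Stand-in for the on-chain ERC-721 state. Marketplaces read it; nothing here lets
    them edit or delete a token."""

    def __init__(self) -> None:
        self._tokens: Dict[int, Token] = {}

    def mint(self, owner: str, token_uri: str, content_hash: Optional[str] = None) -> int:
        token_id = len(self._tokens) + 1
        self._tokens[token_id] = Token(token_id, owner, token_uri, content_hash)
        return token_id

    def get(self, token_id: int) -> Optional[Token]:
        return self._tokens.get(token_id)

    def tokens_of(self, owner: str) -> List[int]:
        return [t.token_id for t in self._tokens.values() if t.owner == owner]


class Marketplace:
    """A front end ('window'). Its only power is over what it renders: the hidden set is
    local to this marketplace and invisible to every other one."""

    def __init__(self, ledger: Ledger) -> None:
        self.ledger = ledger
        self.hidden: Set[int] = set()

    def hide(self, token_id: int) -> None:
        self.hidden.add(token_id)

    def gallery(self, owner: str) -> List[int]:
        return [t for t in self.ledger.tokens_of(owner) if t not in self.hidden]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fetch_artwork(token: Token, hosted: Dict[str, bytes]) -> Optional[bytes]:
    """Resolve the pointer against off-chain hosting (a dict standing in for a web host or
    IPFS). None means the artwork is gone at the source. For a content-addressed pointer,
    bytes that no longer hash to the pinned digest are rejected: a host can drop the file
    but cannot quietly substitute another one."""
    data = hosted.get(token.token_uri)
    if data is None:
        return None
    if token.content_hash is not None and sha256_hex(data) != token.content_hash:
        return None
    return data


def diagnose(ledger: Ledger, market: Marketplace, owner: str, token_id: int,
             hosted: Dict[str, bytes]) -> str:
    """Why can't I see my NFT? Causes are checked from most to least fundamental."""
    token = ledger.get(token_id)
    if token is None or token.owner != owner:
        return "not-owned-on-chain"
    if fetch_artwork(token, hosted) is None:
        return "removed-at-source"
    if token_id in market.hidden:
        return "hidden-by-marketplace"
    return "visible"
```

The "Big Boy Pants" case from the story is the hidden-by-marketplace branch: the transaction and ownership are still on the ledger, and a second marketplace with its own hidden set renders the token normally. Only the removed-at-source branch is fatal on every front end, and only a content-addressed pointer lets a viewer tell a swapped file from the original.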

Microsoft

Attackers Breach 21,000 Microsoft Exchange Servers, Install Malware Implicating Brian Krebs (krebsonsecurity.com) 47

Security researcher Brian Krebs wants you to know... "New data suggests someone has compromised more than 21,000 Microsoft Exchange Server email systems worldwide and infected them with malware that invokes both KrebsOnSecurity and Yours Truly by name. Let's just get this out of the way right now: It wasn't me." The Shadowserver Foundation, a nonprofit that helps network owners identify and fix security threats, says it has found 21,248 different Exchange servers which appear to be compromised by a backdoor and communicating with [a domain that begins with brian . krebsonsecurity... Not a safe domain.] Shadowserver has been tracking wave after wave of attacks targeting flaws in Exchange that Microsoft addressed earlier this month in an emergency patch release. The group looks for attacks on Exchange systems using a combination of active Internet scans and "honeypots" — systems left vulnerable to attack so that defenders can study what attackers are doing to the devices and how.

David Watson, a longtime member and director of the Shadowserver Foundation Europe, says his group has been keeping a close eye on hundreds of unique variants of backdoors (a.k.a. "web shells") that various cybercrime groups worldwide have been using to commandeer any unpatched Exchange servers. These backdoors give an attacker complete, remote control over the Exchange server (including any of the server's emails)... Shadowserver's honeypots saw multiple hosts with the Babydraco backdoor doing the same thing: Running a Microsoft PowerShell script that fetches the file "krebsonsecurity.exe"... Oddly, none of the several dozen antivirus tools available to scan the file at Virustotal.com currently detect it as malicious. The Krebsonsecurity file also installs a root certificate, modifies the system registry, and tells Windows Defender not to scan the file. Watson said the Krebsonsecurity file will attempt to open up an encrypted connection between the Exchange server and the above-mentioned IP address, and send a small amount of traffic to it each minute.

Shadowserver found more than 21,000 Exchange Server systems that had the Babydraco backdoor installed. But Watson said they don't know how many of those systems also ran the secondary download from the rogue Krebsonsecurity domain. "Despite the abuse, this is potentially a good opportunity to highlight how vulnerable/compromised MS Exchange servers are being exploited in the wild right now, and hopefully help get the message out to victims that they need to sign up our free daily network reports," Watson said.
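Watson's description of the implant phoning home once a minute is the kind of regularity a defender can hunt for in outbound-connection logs. The following is an added example, not Shadowserver's or KrebsOnSecurity's code: it scans constructed log lines and flags flows whose inter-arrival times are nearly constant; the host names, the `rogue.invalid` destination and the log format are placeholders, not values from the report.

```python
"""Flag hosts that contact one destination at a near-constant interval.

Added example; the log format "<ISO timestamp> <src> -> <dst>:<port>" and
all hosts/destinations below are constructed placeholders.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: exchange-01 reaches rogue.invalid roughly once a minute
# (the beacon pattern described by Watson); exchange-02 talks to a partner
# mail host at irregular, human-driven intervals.
SAMPLE_LOG = """\
2021-03-25T10:00:02 exchange-01 -> rogue.invalid:443
2021-03-25T10:00:15 exchange-02 -> smtp.partner.example:25
2021-03-25T10:01:03 exchange-01 -> rogue.invalid:443
2021-03-25T10:02:01 exchange-01 -> rogue.invalid:443
2021-03-25T10:02:40 exchange-02 -> smtp.partner.example:25
2021-03-25T10:03:02 exchange-01 -> rogue.invalid:443
2021-03-25T10:04:04 exchange-01 -> rogue.invalid:443
2021-03-25T10:05:01 exchange-01 -> rogue.invalid:443
2021-03-25T10:09:58 exchange-02 -> smtp.partner.example:25
2021-03-25T10:22:05 exchange-02 -> smtp.partner.example:25
2021-03-25T10:23:30 exchange-02 -> smtp.partner.example:25
"""


def parse(log):
    """Group connection timestamps by (source host, destination)."""
    flows = defaultdict(list)
    for line in log.splitlines():
        ts, src, _arrow, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(log, min_events=5, max_jitter=0.1):
    """Return (src, dst, mean_interval_seconds) for flows with at least
    min_events connections whose gaps are nearly constant, i.e. the
    population std-dev of the gaps divided by their mean is <= max_jitter."""
    hits = []
    for (src, dst), times in parse(log).items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, round(avg)))
    return hits


if __name__ == "__main__":
    for src, dst, interval in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{interval}s")
```

Tune `min_events` and `max_jitter` to the log volume; a loose jitter threshold will also catch legitimate polling such as monitoring agents, so the output is a lead to triage, not a verdict.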

Bug

OpenSSL Fixes a High-Severity Flaw That Allowed Crashing of Servers (arstechnica.com) 24

"OpenSSL, the most widely used software library for implementing website and email encryption, has patched a high-severity vulnerability that makes it easy for hackers to completely shut down huge numbers of servers," reports Ars Technica: On Thursday, OpenSSL maintainers disclosed and patched a vulnerability that causes servers to crash when they receive a maliciously crafted request from an unauthenticated end user. CVE-2021-3449, as the denial-of-service vulnerability is tracked, is the result of a null pointer dereference bug. Cryptographic engineer Filippo Valsorda said on Twitter that the flaw could probably have been discovered earlier than now.

"Anyway, sounds like you can crash most OpenSSL servers on the Internet today," he added.

Hackers can exploit the vulnerability by sending a server a maliciously formed renegotiating request during the initial handshake that establishes a secure connection between an end user and a server... The maintainers have rated the severity high. Researchers reported the vulnerability to OpenSSL on March 17. Nokia developers Peter Kästle and Samuel Sapalski provided the fix.

Ars Technica also reports that OpenSSL "fixed a separate vulnerability that, in edge cases, prevented apps from detecting and rejecting TLS certificates that aren't digitally signed by a browser-trusted certificate authority."

Mars

'Wright Brothers Moment': NASA To Fly Ingenuity Mars Helicopter in Early April (bbc.com) 19

The US space agency says it expects now to fly the first helicopter on Mars in early April. From a report: The little chopper was carried to the Red Planet by the Perseverance rover, which made its dramatic landing in Jezero Crater just over a month ago. Called Ingenuity, the 1.8kg, twin-rotor aircraft will attempt a series of short hops in Mars' rarefied air. If successful, it would represent something of a "Wright Brothers moment", says Nasa. This is a reference of course to Orville and Wilbur Wright, who in 1903 conducted the historic first heavier-than-air, powered aircraft flight here on Earth. And to mark the connection, the agency revealed that a postage stamp-sized piece of fabric from a wing of the brothers' plane has been taped to Ingenuity.

At the moment, the chopper is still attached to Perseverance, to its belly. A protective covering was released at the weekend and in the coming days the craft will be lowered to the ground. Engineers have identified a 10m by 10m area in Jezero that they're calling the "airfield". This is at one end of a 90m "flight zone", inside which perhaps five sorties will be performed. Perseverance will endeavour to record everything on camera. "We are going to do our very best to capture Ingenuity in flight," said Nasa engineer Farah Alibay. "We're going to be taking images, we're hoping to take video." This will be challenging, she cautioned. Both rover and helicopter function autonomously and carry separate clocks. The timing devices will need to be in sync for the photography to catch the action.

The Internet

Tim Berners-Lee Says Too Many Young People Are Excluded From Web (theguardian.com) 40

Too many young people around the world are excluded from accessing the web, and getting them online should be a priority for the post-Covid era, Tim Berners-Lee has said. From a report: In a letter published to mark the 32nd birthday of the web, its founder says the opportunity "to reimagine our world and create something better" in the aftermath of Covid-19 must be channelled to getting internet access to the third of people aged between 15 and 24 who are offline. "The influence of young people is felt across their communities and online networks," Berners-Lee writes. "But today we're seeing just a fraction of what's possible. Because while we talk about a generation of 'digital natives,' far too many young people remain excluded and unable to use the web to share their talents and ideas.

"A third of young people have no internet access at all. Many more lack the data, devices and reliable connection they need to make the most of the web. In fact, only the top third of under-25s have a home internet connection, according to Unicef, leaving 2.2 billion young people without the stable access they need to learn online, which has helped so many others continue their education during the pandemic." Even though young people are more likely than the typical global citizen to have internet access -- roughly half the world is online, but the figure rises to 70% of people aged between 15 and 25 -- Berners-Lee argues that aiming to connect every young person in the world to the web would reap dividends. He also says doing so would be relatively cheap compared with the cost of many government programmes launched over the last 12 months. He estimates that an investment of $428bn over the next decade would provide everyone with a quality broadband connection.
